Teleport 2.6 Audit Report is Available

Jun 1, 2018 by Russell Jones

Teleport will be three years old in just a few weeks. Since its public debut in June 2016,
Teleport has been adopted as a PAM solution for SSH by numerous individuals and companies - from start-ups to large enterprises such as banks,
semiconductor manufacturers, stock exchanges and government entities.

While we are happy with what we have achieved, three years is still a very young age
for a privileged access management product central to cyber security. That is why we remain
committed to regularly performing full security audits (as in “all source
code”) by industry-trusted third parties.

Today, we are announcing another full security audit performed by Cure53.

Who is Cure53?

Cure53 is a team of security researchers based in Germany.
We like working with them due to their reputation in auditing open source
projects and the fact that they publish results publicly for the community to see.

Audit Findings

The full text of the report (PDF) can be downloaded here.
The summary of the findings is:

No critical vulnerabilities have been discovered.

One high vulnerability was found: The roles API of the auth server allows directory traversal.

Two medium issues have been discovered.

Two “info” level issues have been discovered.

The latest 2.6.0 release already contains patches for these issues.

Quoting from the report:

Of the five discoveries made during this test, one is considered to be a
security vulnerability issue, while the other four were classified as general
weaknesses.

IMPORTANT: The discovered issues have been patched, and patches were provided for the 2.5.x
and 2.4.x series (published as 2.5.8 and 2.4.8).

Conclusions

Quoting the “Conclusions” section of the report:

The results of this second-run Cure53 security assessment of the latest
release of the Teleport software by Gravitational are once again very
positive. With the first Cure53-Gravitational collaboration already yielding
good results, the fact that this time the findings are few and far between
across the board is very much praiseworthy…

Contact us

For more information about Teleport, you can take a look at the
documentation or the
GitHub repo. It is open sourced, so
feel free to dig in - issues and/or pull requests are welcome. Also, feel free to
reach out via email if you have additional questions: [email protected].